I have done some digging and haven't really seen anything, so if it has been posted, I'm sorry.
Currently we have a /29; the FortiGate ends with .234. I have a couple of different VLANs whose traffic goes out separate IPs. I would like to make all VPN traffic use .236 instead of the default .234 IP that is the FortiGate. Is this possible?
I have done this before, but because the SSL VPN listens specifically on the interface-assigned IP, you actually need to do a VIP to send the SSL VPN port traffic on, in your case, .236 to .234,
and then a WAN-to-WAN IPv4 policy using that VIP.
So, since you need to VIP it and it still depends on the interface IP, it may not actually accomplish what you want.
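For reference, here is what the VIP plus WAN-to-WAN policy described above looks like in FortiOS CLI. This is an added example, not brycemd's config. The interface name (wan1), the /29 (203.0.113.232/29, so .234 is the FortiGate and .236 the spare address) and the SSL VPN port (10443) are assumptions; substitute your own.

```fortios
# Assumed: SSL VPN already listens on wan1's primary IP (203.0.113.234) on TCP 10443.
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set source-address "all"
end

# Custom service for the SSL VPN port so the policy only matches that traffic.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# VIP: anything hitting .236:10443 on wan1 is DNATed to the interface IP .234:10443,
# which is where the SSL VPN daemon is actually listening.
config firewall vip
    edit "sslvpn-236-to-234"
        set extip 203.0.113.236
        set extintf "wan1"
        set portforward enable
        set mappedip "203.0.113.234"
        set extport 10443
        set mappedport 10443
    next
end

# WAN-to-WAN policy that permits the translated traffic. Keep service scoped to
# the SSL VPN port only; do not use "ALL" here.
config firewall policy
    edit 0
        set name "sslvpn-via-236"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "sslvpn-236-to-234"
        set action accept
        set schedule "always"
        set service "SSLVPN-10443"
        set logtraffic all
    next
end
```

The caveat brycemd raises still applies: the daemon is bound to .234, so .234:10443 stays reachable unless you add a local-in policy to deny it, and the VPN's own outbound traffic is still sourced from the interface IP.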
So it looks like I'm sticking with that default IP. I would think that at this point we would be able to decide what IP we want this to listen on, especially since all the publics will typically be on that one interface anyway.
Thank you brycemd
You can do it and make a different IP work without using a VIP, but it's a little weird.
I create secondary IPs on the WAN interface and use one of them for SSL-VPN. Use a local-in policy to block any SSL to the primary IP and allow it only to the secondary IP. The SSL-VPN will tell you it is listening on the primary IP, but it is actually listening on the interface and will accept the SSL connection on the secondary IP.
Not sure if there is a cleaner/better way to do this. Would love to hear it if there is.
So I have a slightly different situation where I'm doing BGP with 2 different ISPs and want my SSL VPN to still work when one or the other goes down. What I ended up doing is creating a loopback interface for my VPN to listen on and then creating a VIP from my public, BGP-announced subnet that NATs to that loopback IP. I think that may be a cleaner option for both of you, even though you're not necessarily dealing with the 2-ISP issue.